Last Updated: 1 April 2026

Privacy Policy for RazorClinic

1. Introduction

This Privacy Policy ("Policy") governs the collection, use, processing, storage, disclosure, and protection of Personal Data and Sensitive Personal Data by RazorClinic ("Company," "we," "our," "us"). RazorClinic provides a cloud-based clinic management platform used by healthcare providers ("Clients"). By accessing or using the Platform, you acknowledge and agree to this Policy.

2. Definitions

  • Personal Data: Any information that identifies an individual.
  • Sensitive Personal Data: Health records, medical history, diagnostics, biometric or financial data.
  • Data Controller: The Clinic/Healthcare Provider.
  • Data Processor: RazorClinic.
  • Data Subject: Patient or end-user.

3. Role Clarification

RazorClinic acts strictly as a Data Processor. Clinics act as Data Controllers and are solely responsible for:

  • Lawful data collection
  • Patient consent
  • Data accuracy
  • Regulatory compliance

RazorClinic does not control, verify, or take responsibility for medical or personal data entered by Clients.

4. Data We Collect

4.1 From Clinics

  • Business information
  • User accounts and staff data

4.2 From Patients (via Clinics)

  • Personal details (name, phone, email, address)
  • Medical records, prescriptions, reports
  • Appointment and treatment history

4.3 Financial Data

Billing, invoices, and payment metadata are processed via third-party gateways; RazorClinic does not store card data.

4.4 Technical Data

  • IP address, device data
  • Logs, access records, usage analytics

5. Purpose of Processing

We process data strictly for:

  • Platform functionality and service delivery
  • Record management and workflow automation
  • Billing and subscription management
  • Security monitoring and fraud prevention
  • Legal and regulatory compliance

We do NOT use patient data for advertising or resale.

6. Legal Basis

Processing is based on:

  • Contractual necessity (SaaS agreement)
  • Explicit consent obtained by Clinics
  • Legal obligations
  • Legitimate interests (security, system integrity)

7. Explicit Consent Framework

Clinics are solely responsible for:

  • Obtaining patient consent
  • Maintaining consent logs
  • Defining purpose of data usage

RazorClinic shall not be liable for absence or invalidity of consent.

8. Data Security Measures

We implement enterprise-grade safeguards including:

  • AES-256 encryption at rest
  • TLS encryption in transit
  • Role-based access control (RBAC)
  • Multi-factor authentication (optional)
  • Audit logs and access tracking
  • Infrastructure security such as firewalls and intrusion detection

Despite safeguards, no system is 100% secure.

9. Data Retention Policy

Data is retained during an active subscription. After termination, data is kept for a 30–90 day retention window, then permanently deleted or anonymized. Legal retention obligations override deletion requests.

10. Data Localization & Transfers

Data may be stored on cloud servers within or outside India. We ensure contractual safeguards and industry-standard protection mechanisms.

11. Third-Party Processors

We may engage cloud providers, payment gateways, and communication services. All vendors are bound by strict data protection obligations.

12. Audit Logs & Traceability

RazorClinic maintains logs of user access, data modifications, and system activities. These logs may be used for compliance, dispute resolution, and forensic analysis.

13. Data Breach Policy

In case of a breach, we will notify affected Clients within a reasonable timeframe (target: 72 hours). Clinics are responsible for notifying patients and regulators.

14. User Rights

Subject to applicable law, users may request access, correction, deletion, or restriction of processing. All requests must be routed through the Clinic (Data Controller).

15. Limitation of Liability

To the maximum extent permitted by law, RazorClinic shall NOT be liable for:

  • Clinical decisions or medical outcomes
  • Incorrect or fraudulent data entered by users
  • Unauthorized access due to compromised credentials

Total liability is limited to fees paid by the Client in the last 12 months.

16. Indemnification

Clients agree to indemnify, defend, and hold harmless RazorClinic from regulatory penalties, data misuse claims, patient disputes, and non-compliance with healthcare laws.

17. No Medical Responsibility Clause

RazorClinic is a technology platform only and does not provide medical advice, validate diagnoses, or influence treatment decisions. All medical responsibility lies solely with the healthcare provider.

18. Children & Minor Data

Clinics must obtain guardian consent before processing the data of minors.

19. Cookies & Tracking

We use cookies for authentication, performance tracking, and analytics. Users may disable cookies via browser settings.

20. Compliance Framework

We aim to align with the Indian IT Act, 2000 & SPDI Rules, HIPAA (where applicable), and GDPR for international users.

21. Termination & Data Exit

Upon termination, Clients may request data export. Data will be deleted after the retention period. Recovery beyond this period is not guaranteed.

22. Changes to Policy

We reserve the right to update this Policy. Continued use constitutes acceptance of changes.

23. Governing Law & Jurisdiction

This Policy is governed by the laws of India. Jurisdiction shall lie in Jaipur, Rajasthan.

24. Contact Information

Company: RazorClinic
Email: contact@razorclinic.com

25. Acceptance

By using RazorClinic, you confirm that you have read, understood, and agreed to this Privacy Policy.
